Download ACCESS CONTROL OPTIONS FOR WIRED NETWORKS

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
Document related concepts

Computer and network surveillance wikipedia , lookup

Computer security wikipedia , lookup

Security-focused operating system wikipedia , lookup

Unix security wikipedia , lookup

Access control wikipedia , lookup

Network tap wikipedia , lookup

Carrier IQ wikipedia , lookup

Security and safety features new to Windows Vista wikipedia , lookup

Authentication wikipedia , lookup

Distributed firewall wikipedia , lookup

Mobile device forensics wikipedia , lookup

Stingray phone tracker wikipedia , lookup

Wireless security wikipedia , lookup

Mobile security wikipedia , lookup

Cybercrime countermeasures wikipedia , lookup

Cracking of wireless networks wikipedia , lookup

Transcript 
SOLUTION BRIEF
ACCESS CONTROL OPTIONS
FOR WIRED NETWORKS
INTRODUCTION
When policy and access control are discussed, there’s usually
an immediate association with wireless and unmanaged
devices such as smartphones and IoT devices. As these
devices are often used outside of the workplace and
normally connect over the air, policy controls and device
profiling efforts have been solely focused on wireless access.
This has led to wired access controls being overshadowed
or not configured at all, leading to security gaps in many
organizations. And as IT Security experts are well aware,
networks are only as strong as their weakest link.
As the modern workplace is full of external personnel such
as temporary workers, contractors, and guests who may
use their personal devices within the workplace, identity and
device visibility have become valuable components during
the authentication and authorization phase. This data is then
used to enforce policies on wireless and wired networks.
But, the growth of IoT devices, that are not associated with a
specific user or group, is now causing security concerns on
the wired network.
Without consistency on the wired network, malicious users can
connect and access corporate resources easily. For instance,
depending on the access switch configuration, users may be
able to access the wired network through an authenticated
device such as an IP phone’s built-in switch port. Even though
there is some form of authentication, it may not necessarily
apply to the devices connected through the IP phone.
When a device plugs into a wired port, the policy engine
can be notified of the new device, and profiling techniques
such as DHCP Fingerprinting or Windows Management
Instrumentation (WMI) can be used to identify the type of
device and the user. With this information, we can validate
this device and user against the Active Directory or a device
database so that appropriate policies can be applied to the
switch port. This means that every device connecting to
the wired network is profiled and evaluated providing much
needed visibility.
Profiling consists of fingerprinting each device as well as the
ability to perform device assessments to better understand
the posture of a device. Methods of profiling and assessment
include DHCP fingerprinting, SNMP scans, NMAP scans, Link
Layer Discovery Protocol (LLDP), Cisco Discovery Protocol
(CDP), Windows Management Instrumentation (WMI),
and more. For Windows laptops, you can perform basic
assessments like seeing if required services exist and if they
are running on each device.
The advantage of using non-AAA enforcement is that there
is minimal configuration, and it allows IT to quickly meet
internal or external audit or compliance demands. You’re
also able to build a comprehensive database of all devices
connecting to the wired network, which becomes more
important as IoT devices emerge in greater numbers.
This paper discusses options that bring wired networks
closer to the same level of control that have been on wireless
OPTION 2: IDENTITY-BASED 802.1X AUTHENTICATION
networks, regardless of access control method, either
802.1X is the most secure option and provides real-time
through secure means or non-AAA enforcement.
certificate or login and password based authentication. You
OPTION 1: NON-AAA ENFORCEMENT
With non-AAA enforcement, the goal on a wired network is
to minimize the effort it takes to deploy a policy enforcement
service. Endpoints do not require a supplicant or agent, which
makes it convenient for laptops, printers, and IoT devices –
many of which do not support an 802.1X supplicant. And, there
is minimal configuration required on the actual switches.
also benefit by performing authentication before a device
receives an IP address. In the non-AAA model, devices receive
limited access to the network before any authentication.
SOLUTION BRIEF
ACCESS CONTROL OPTIONS FOR WIRED NETWORKS
Using 802.1X also provides better options for the
Another advantage is that 802.1X supports logins and
authorization of device privileges. Instead of just VLAN
passwords, or the use of device certificates, which provide a
placement, the use of ACLs, downloadable ACLs, and
higher level of security. Certificates can’t be spoofed. Today,
roles can be used to define access when the status of a
onboarding services can automate the configuration of
device changes. The ability to use granular identity-based
endpoint supplicants and create a database for use when
enforcement also makes it easier to share user information
performing authorization and enforcement. This can be used
with firewalls and other security components for enhanced
on wired, wireless and VPN networks to provide a consistent
downstream policies and threat prevention.
user experience.
But as with anything related to security, there is an
Other advantages include the ability to change the privileges
inverse relationship between convenience and the level of
of connected devices based on their behavior. If multiple
effort needed from IT to implement a model with secure
devices are connected behind a switch port, a change of
policy management.
authorization (CoA) to adjust security policies would not
There are three components that must be in place and
configured for 802.1X to work; a supplicant, an authenticator,
and an authentication server. The supplicant resides on the
endpoint device, the authenticator is the switch in a wired
network, and the authentication server is a AAA component
that typically uses the RADIUS protocol. In today’s world, the
affect all devices, only the target device.
RECOMMENDATIONS
IT security administrators have spent a considerable amount
of time securing the wireless network due to personal
devices, guests, visitors, and contractors requesting
AAA server resides within a policy management solution.
Internet access. However, the wired network has often been
For a wired environment, 802.1X eliminates port VLAN
and compliance requirements are driving the need for wired
configuration issues as each device that connects can
initiate a session for that specific connection. A user can’t
unplug a printer, connect a laptop and gain access to the
printer VLAN. The workflow, once a laptop is connected,
would be to establish the identity of the user and device and
perform a role-based enforcement for that user or device.
Differentiated privileges can be granted based on user and
device role, location, posture of the device, and more. For
devices that do not support 802.1X, you can also use MAC
address based authentication to enable connectivity to the
wired network.
The profiling data that can be captured is similar to what can
be collected in the non-AAA model, but enforcement options
are greater as collected attributes can then be used to
perform runtime changes of authorization based on changes
of a device’s status.
overlooked due to lack of resources. Today, the growth of IoT
networks to receive the same level of attention.
Given that more and more security breaches are targeting
IoT devices on wired networks, our recommendation is
to deploy an option that makes sense for both wired and
wireless networks. For this reason, Aruba ClearPass supports
both non-AAA and secure 802.1X policy enforcement for
wired, as well as wireless networks. ClearPass OnConnect
allows for non-AAA wired enforcement so that customers can
start down the policy and access control path. All devices can
be profiled with user based authorization, all with minimal
configuration on the switching infrastructure.
The more secure 802.1X enforcement model should be
considered for greater policy enforcement options. As it
will require more planning and configuration, if 802.1X is
already being used for a wireless service, ClearPass provides
mechanisms to unify policy enforcement across different
network transport types, all from a single solution.
1344 CROSSMAN AVE | SUNNYVALE, CA 94089
1.844.473.2782 | T: 1.408.227.4500 | FAX: 1.408.227.4550 | [email protected]
www.arubanetworks.com
SO_AccessControlOptions_081516
Related documents
Systems Integration
Systems Integration
Electric Force - Parkland College
Electric Force - Parkland College
The Internet is a global communication network which acts as a
The Internet is a global communication network which acts as a
Discussion Points for 802.21 Security
Discussion Points for 802.21 Security
Teacher Page 24 File
Teacher Page 24 File
Second Presentation
Second Presentation
PowerPoint on web-based learning activity formats
PowerPoint on web-based learning activity formats
Release/Embargo Date: July 9, 2014, 12:01 a.m. C.D.T. Jim Boyer
Release/Embargo Date: July 9, 2014, 12:01 a.m. C.D.T. Jim Boyer
the powerpoint - WordPress.com
the powerpoint - WordPress.com
Chapter 8
Chapter 8
TIA Test 2
TIA Test 2
Accounting for Disclosures Quick Reference
Accounting for Disclosures Quick Reference